svn commit: r454471 - head/security/vuxml
Wen Heping
wen at FreeBSD.org
Sun Nov 19 02:38:31 UTC 2017
Author: wen
Date: Sun Nov 19 02:38:29 2017
New Revision: 454471
URL: https://svnweb.freebsd.org/changeset/ports/454471
Log:
- Document vulnerability in www/mediawiki127, www/mediawiki128 and www/mediawiki129.
Modified:
head/security/vuxml/vuln.xml
Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml Sun Nov 19 01:06:20 2017 (r454470)
+++ head/security/vuxml/vuln.xml Sun Nov 19 02:38:29 2017 (r454471)
@@ -58,6 +58,58 @@ Notes:
* Do not forget port variants (linux-f10-libxml2, libxml2, etc.)
-->
<vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+ <vuln vid="298829e2-ccce-11e7-92e4-000c29649f92">
+ <topic>mediawiki -- multiple vulnerabilities</topic>
+ <affects>
+ <package>
+ <name>mediawiki127</name>
+ <range><lt>1.27.3</lt></range>
+ </package>
+ <package>
+ <name>mediawiki128</name>
+ <range><lt>1.28.2</lt></range>
+ </package>
+ <package>
+ <name>mediawiki129</name>
+ <range><lt>1.29.1</lt></range>
+ </package>
+ </affects>
+ <description>
+ <body xmlns="http://www.w3.org/1999/xhtml">
+ <p>mediawiki reports:</p>
+ <blockquote cite="https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html">
+ <p>security fixes:</p>
+ <p>T128209: Reflected File Download from api.php. Reported by Abdullah Hussam.</p>
+ <p>T165846: BotPasswords doesn't throttle login attempts.</p>
+ <p>T134100: On private wikis, login form shouldn't distinguish between login failure due to bad username and bad password.</p>
+ <p>T178451: XSS when $wgShowExceptionDetails = false and browser sends non-standard url escaping.</p>
+ <p>T176247: It's possible to mangle HTML via raw message parameter expansion.</p>
+ <p>T125163: id attribute on headlines allow raw.</p>
+ <p>T124404: language converter can be tricked into replacing text inside tags by adding a lot of junk after the rule definition.</p>
+ <p>T119158: Language converter: unsafe attribute injection via glossary rules.</p>
+ <p>T180488: api.log contains passwords in plaintext wasn't correctly fixed.</p>
+ <p>T180231: composer.json has require-dev versions of PHPUnit with known security issues. Reported by Tom Hutchison.</p>
+ </blockquote>
+ </body>
+ </description>
+ <references>
+ <cvename>CVE-2017-8808</cvename>
+ <cvename>CVE-2017-8809</cvename>
+ <cvename>CVE-2017-8810</cvename>
+ <cvename>CVE-2017-8811</cvename>
+ <cvename>CVE-2017-8812</cvename>
+ <cvename>CVE-2017-8814</cvename>
+ <cvename>CVE-2017-8815</cvename>
+ <cvename>CVE-2017-0361</cvename>
+ <cvename>CVE-2017-9841</cvename>
+ <url>https://lists.wikimedia.org/pipermail/mediawiki-announce/2017-November/000216.html</url>
+ </references>
+ <dates>
+ <discovery>2017-11-14</discovery>
+ <entry>2017-11-19</entry>
+ </dates>
+ </vuln>
+
<vuln vid="52f10525-caff-11e7-b590-6451062f0f7a">
<topic>Flash Player -- multiple vulnerabilities</topic>
<affects>
More information about the svn-ports-all
mailing list